Compliance Exam Preparation for Banks (2026)
Every compliance officer knows the pattern. Three weeks before an exam, you get the document request list. Then the fire drill starts: tracking down training records, pulling board minutes, reconstructing evidence of work you know happened but can't prove on demand. The exam itself isn't the problem. The preparation sprint - and the gaps it reveals - is what creates findings.
Recurring compliance exams don't have to work this way. Banks and fintechs that maintain continuous exam readiness spend days on preparation instead of weeks, because evidence was captured when the work happened, not assembled after the fact.
Key Takeaways:
- Examiners evaluate your process and documentation, not just outcomes
- The most common findings stem from missing evidence, not missing knowledge
- Exam preparation should take days, not weeks - if it takes weeks, your evidence capture process is broken
- Different exam types (BSA/AML, consumer compliance, CRA, safety and soundness) require different evidence packages
What Examiners Actually Evaluate
Examiners don't arrive with a pass/fail checklist. They evaluate whether your compliance management system (CMS) is effective at managing regulatory risk. The FFIEC Compliance Management System framework defines three components:
Board and management oversight: Is compliance a priority at the institutional level? Examiners look at board minutes, committee reports, compliance staffing, and budget allocation. A compliance program that exists only on paper - with no evidence of management engagement - draws immediate scrutiny.
Compliance program: Do you have policies, procedures, training, and monitoring appropriate to your risk profile? This is where most banks feel comfortable - policies exist, training happens. But the next question is harder.
Compliance audit: Is there independent testing of your compliance program, and does it actually find things? An audit that reports zero findings isn't comforting to examiners - it suggests the audit wasn't thorough enough.
The thread connecting all three: documentation. Examiners can't evaluate what they can't see. Every assertion you make about your compliance program must be backed by evidence they can review.
The Evidence Gap: Why Exam Prep Takes Weeks
The typical pre-exam scramble happens because evidence of compliance work is scattered across systems:
- Training records in the LMS
- Policy approvals in email
- Board minutes in the corporate secretary's files
- Vendor assessments in shared drives
- SAR decisions in the BSA case management system
- CDD reviews in the core banking system
- Remediation tracking in spreadsheets
Each of these systems has the evidence. None of them talk to each other. When an examiner asks "show me evidence of your quarterly high-risk customer reviews," someone has to go find the review records, match them to the review schedule, verify completion dates, and package them in a format the examiner can consume.
Multiply that by every line item on the document request list - sometimes 50-100 items - and you understand why exam prep takes 3-5 weeks.
Automated evidence collection eliminates the assembly problem by capturing proof at the moment work is completed. The review happened. The approval was recorded. The training was documented. The evidence already exists in a retrievable format. Exam prep becomes export and review, not search and reconstruct.
Exam Types and What Each Requires
Different examination types focus on different regulatory areas. Knowing what each exam evaluates helps you prepare the right evidence.
BSA/AML Examination
BSA/AML exams evaluate your program against the FFIEC BSA/AML Examination Manual. Key evidence areas:
- CIP/CDD documentation - Sample account opening files showing identity verification and risk rating
- Transaction monitoring - Alert volumes, investigation timelines, SAR filing statistics
- SAR filing - Sample SARs with investigation narratives and 30-day timeline compliance
- OFAC screening - Evidence of list updates and match handling procedures
- Independent testing - Most recent testing report with finding remediation
- Training - Completion records by role with content relevance to BSA responsibilities
The BSA/AML exam is the most evidence-intensive. Examiners will pull transaction samples and trace them through your monitoring, investigation, and filing processes. They'll check timestamps. If your SAR was filed 35 days after the alert was generated, they'll document that.
Consumer Compliance Examination
Consumer compliance exams cover the full range of consumer protection regulations. Priority areas in 2025-2026:
- Fair lending (ECOA/Reg B) - Pricing analysis, underwriting consistency, comparative file reviews
- TILA/Reg Z - Disclosure accuracy, APR calculations, right of rescission procedures
- UDAAP - Marketing review, complaint analysis, fee practices
- FCRA - Adverse action notice compliance, dispute handling timeliness
- Reg E - Electronic fund transfer error resolution procedures and timelines
Evidence requirements focus on transaction-level documentation: sample loan files, disclosures provided to consumers, complaint logs, and error resolution records.
Fair Lending Exam Preparation
Fair lending examinations deserve special attention because they carry significant risk. Examiners conduct statistical analysis of your lending data and comparative file reviews looking for disparities by prohibited basis (race, sex, national origin, age, etc.) under ECOA (15 U.S.C. § 1691) and the Fair Housing Act (42 U.S.C. § 3605).
Evidence you need:
- Underwriting policies with documented criteria and any discretionary overlays
- Pricing policies with rate sheet methodology and exception documentation
- Exception tracking - Every loan where terms deviated from policy, with documented rationale
- Statistical analysis - Your own fair lending analysis, if performed
- Training records - Fair lending training for all lending staff
- Complaint data - Consumer complaints alleging discrimination, with investigation records
The most dangerous fair lending finding: pricing or underwriting exceptions that disproportionately favor or disfavor protected classes, with no documented business justification for the exceptions.
CRA Examination
Community Reinvestment Act examinations evaluate whether your institution meets the credit needs of your assessment areas. Evidence requirements under the current CRA framework (12 CFR § 25, § 228, § 345):
- Lending test data - HMDA LAR, small business/small farm loan data, community development loans
- Investment test data - Qualified investments with documentation of community development purpose
- Service test data - Branch distribution, hours, products available by income geography
- Assessment area - Delineation maps, demographic data, credit needs analysis
- Strategic plan - If applicable, plan documentation with measurable goals
Safety and Soundness Examination
Safety and soundness exams cover a broader scope including capital adequacy, asset quality, management, earnings, liquidity, and sensitivity to market risk (CAMELS). The compliance-relevant areas:
- Risk management frameworks - Policies, procedures, and controls across risk categories
- Internal audit - Audit plan, reports, and finding remediation
- Vendor management - Third-party risk assessment under OCC Bulletin 2013-29 / FDIC FIL-44-2008
- IT/Cybersecurity - FFIEC Cybersecurity Assessment Tool results, incident response testing
- Board oversight - Minutes showing active engagement on risk and compliance matters
Building a Continuous Exam Readiness Program
The shift from pre-exam scramble to continuous readiness requires three changes:
Evidence Captured at Completion
Every compliance task - policy review, training completion, vendor assessment, monitoring activity - should generate evidence at the moment it's completed. Not next week. Not when someone asks for it. At completion.
This means your compliance workflows must include evidence capture as a built-in step, not an afterthought. When a high-risk customer review is completed, the review document, reviewer name, completion date, and findings are recorded automatically.
Centralized Evidence Repository
Scattered evidence is lost evidence. All compliance documentation - policies, procedures, training records, assessment reports, remediation tracking, board materials - should be accessible from one system. When an examiner requests "training completion records for BSA staff," the answer should be a query and export, not a hunt through three different systems.
Ongoing Self-Assessment
Don't wait for examiners to find gaps. Run your own readiness checks quarterly:
- Are all recurring tasks completed on schedule?
- Are there overdue items?
- Is evidence attached to completed tasks?
- Are policy reviews current?
- Is training up to date by role?
- Is the independent testing plan on track?
Quarterly self-assessment converts exam preparation from a periodic crisis to a continuous process.
The Document Request List: What to Have Ready
Regardless of exam type, most document request lists include common items. Maintaining these in an accessible, current state eliminates the majority of prep work.
Always requested:
- Current organizational chart with compliance reporting lines
- Board and committee meeting minutes (last 12 months)
- Compliance committee reports
- Compliance risk assessment (most recent)
- Audit/independent testing reports (last 2 years)
- Audit finding remediation tracking
- Policy and procedure manuals (current versions with approval dates)
- Training program materials and completion records
- Complaint log with resolution documentation
- Regulatory change management documentation
- Vendor/third-party management program documentation
BSA/AML specific:
- BSA/AML risk assessment
- SAR filing log with investigation timelines
- CTR filing reports
- OFAC screening logs
- CDD/EDD sample documentation
- 314(a) and 314(b) information sharing documentation
Consumer compliance specific:
- Fair lending analysis
- Complaint analysis by product and issue type
- Adverse action notice samples
- Disclosure review results
- Exception tracking logs
Audit Remediation: Closing Findings Before the Next Exam
Examiners review prior findings at every examination. Open findings from previous exams - particularly repeat findings - signal management weakness and draw elevated scrutiny.
Effective audit remediation requires:
- Root cause analysis - Why did the finding occur? If the answer is "someone forgot," the real root cause is a process gap.
- Corrective action plan - Specific actions, owners, and deadlines. "We will improve our process" isn't a plan.
- Implementation evidence - Proof that corrective actions were completed. Policy updated, training delivered, system modified, monitoring implemented.
- Validation testing - Evidence that the corrective action actually fixed the problem. Test samples post-remediation.
- Ongoing monitoring - How you'll prevent recurrence. What monitoring or controls will detect if the issue resurfaces.
Track remediation formally. Each finding should have documented status: open, in progress, completed, validated. Examiners will ask for this tracking at the next exam.
How Teams That Stay Exam-Ready Operate
The pattern is consistent across institutions that have moved past the exam prep scramble: compliance work generates its own evidence, evidence is accessible on demand, and self-assessment catches gaps before examiners do.
Canarie operationalizes this pattern. Regulatory requirements map to executable workflows with evidence capture built in. Recurring tasks run on schedule with escalation on overdue items. Exam preparation reduces to assembling and reviewing evidence packages that already exist - days instead of weeks.
Frequently Asked Questions
How far in advance do examiners send the document request list?
Typically 2-4 weeks before the examination start date, though this varies by agency and exam type. Some agencies provide a preliminary list weeks earlier. Regardless of timing, if your evidence capture is continuous, the notice period is sufficient.
What's the difference between an MRA and a violation?
A Matter Requiring Attention (MRA) indicates a practice that could lead to violations or unsafe conditions if not corrected. A violation means you've breached a specific law, regulation, or requirement. MRAs require corrective action plans; violations may carry enforcement consequences. Both appear in examination reports and must be addressed before the next exam.
How do examiners select transaction samples?
Examiners typically use risk-based sampling, focusing on higher-risk products, customers, and transactions. They'll also pull random samples to test general compliance. For fair lending, they may use statistical models to identify potential outliers. You won't know exactly which transactions they'll review, which is why consistent compliance execution across all transactions matters.
What if we disagree with an examination finding?
You can respond through the examination report response process. Provide factual evidence supporting your position. If you can demonstrate that the finding is factually incorrect - with documentation - examiners may modify or withdraw it. Disagreements about regulatory interpretation are harder to resolve and may require escalation through the agency's appeals process.
How often do recurring compliance exams happen?
Federal examination cycles depend on your primary regulator, asset size, and risk profile. Most community banks under $3 billion in assets are examined every 18 months. Banks with higher risk profiles or prior examination issues may be examined annually. State examinations add additional cycles. Fintechs under CFPB jurisdiction face examination schedules based on the agency's supervision priorities.